Advanced URL Filtering
URLs Classified as Not-Resolved
Table of Contents
URLs Classified as Not-Resolved
Follow these steps to troubleshoot URLs classified as
not-resolved. Not-resolved designation typically signals PAN-DB
cloud connectivity issues.
| Where can I use this? | What do I need? |
|---|---|
|
Note: Legacy URL filtering licenses are
discontinued, but active legacy licenses are still
supported.
|
URLs are classified as not-resolved if
your firewall cannot connect to the PAN-DB URL filtering cloud service
to perform lookups, or if PAN-DB takes too long to respond to URL
queries. The cloud connection status and URL classification does
not apply to expired subscription licenses or unlicensed users.
For a detailed explanation of the URL categorization process, see How URL Filtering Works.
Use
the following workflow to troubleshoot why some or all of the URLs
being identified by PAN-DB are classified as Not-resolved:
- Check the PAN-DB cloud connection by running the show url-cloud status CLI command.The Cloud connection: field should show connected. If you see anything other than connected, then any URL that does not exist in the management plane cache will be categorized as not-resolved. To resolve this issue, see PAN-DB Cloud Connectivity Issues.If the cloud connection status shows connected, check the current utilization of the firewall.If firewall utilization is spiking, URL requests may be dropped (may not reach the management plane) and will be categorized as not-resolved.To view system resources, run the show system resources CLI command. Then, view the %CPU and %MEM columns.You can also view system resources on the System Resources widget on the Dashboard in the web interface.Consider increasing the Category lookup timeout (sec) value.Increasing the category lookup timeout value improves the likelihood that the URL category gets resolved and reduces the frequency of not-resolved URLs in logs.
- Select and edit the URL Filtering settings.Click OK and Commit your changes.You can also update the value using the set deviceconfig setting ctd url-wait-timeout CLI command.If the problem persists, contact Palo Alto Networks support.
